paloaltonetworks:configuration:decryption [2021/05/04 07:36] bstafford
paloaltonetworks:configuration:decryption [2022/11/23 12:49] (current) – external edit 127.0.0.1
Line 45: Line 45:
 =====Decryption Profile===== =====Decryption Profile=====
  
-* Consider appending certificate CN value to SAN extension. +  * Consider appending certificate CN value to SAN extension. 
-* Consider blocking RSA and DHE +  * Consider blocking RSA and DHE 
-* Consider allowing GCM only and SHA256 and higher only. +  * Consider allowing GCM only and SHA256 and higher only. 
-* Strip ALPN for HTTP Header Insertion and Clientless VPN.+  * Strip ALPN for HTTP Header Insertion and Clientless VPN.
  
 Remember, if you want the firewall to actually check the status of certificates, you have to enable that at Remember, if you want the firewall to actually check the status of certificates, you have to enable that at
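Review bot: the only change to these four bullets is the two-space indent DokuWiki needs to render them as a list, but while they are being touched, "Consider blocking RSA and DHE" should say what is being blocked: as written it reads as all of RSA, whereas it presumably means the RSA and DHE key exchange algorithms in the profile, leaving ECDHE as the forward-secret option. Suggest "Consider blocking the RSA and DHE key exchange algorithms, leaving ECDHE". The ALPN bullet would also benefit from its reason: stripping ALPN keeps the client from negotiating HTTP/2, so the firewall sees HTTP/1.1 requests it can insert headers into.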
Line 54: Line 54:
  
 Skype for Business will break if you tick ''block session with unsupported versions''. Skype for Business will break if you tick ''block session with unsupported versions''.
 +
 +Random sites with two certificate chains will break if you tick "block expired certs" if one of the chains expires. This applies even if you only block expired certs on "no decrypt" sites.
  
 =====Get Firefox to Use System CA Store===== =====Get Firefox to Use System CA Store=====
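Review bot: the added sentence stacks two conditions ("will break if you tick ... if one of the chains expires"); suggest "Sites that serve two certificate chains will break when one chain expires if you tick 'block expired certs'". "Random sites" is vague; say what to look for (a server whose chain is cross-signed to a second root). The second sentence is the real warning, since it shows the expired-certificate check is applied to the presented chain even for sessions the profile leaves undecrypted, so consider leading with it.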
Line 72: Line 74:
 <code>watson.telemetry.microsoft.com <code>watson.telemetry.microsoft.com
 watson.microsoft.com</code> watson.microsoft.com</code>
 +
 +For Chromebooks to access the Internet (Aug 2021)
 +<code>accounts.google.com/
 +chrome.google.com/
 +connectivitycheck.android.com/
 +*.ggpht.com/</code>
 +
 For Cortex XDR Traffic: For Cortex XDR Traffic:
 <code>*.traps.paloaltonetworks.com <code>*.traps.paloaltonetworks.com
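Review bot: the new Chromebook entries carry trailing slashes (accounts.google.com/, *.ggpht.com/) while the watson and Cortex XDR entries beside them do not; the trailing slash is meaningful to PAN-OS URL category matching, so either make the list consistent or state that the difference is intended. "Aug 2021" dates the list but gives no source; add where it came from so it can be refreshed when Google changes endpoints.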
Line 288: Line 297:
 To see what SSL/TLS protocls are in use on a server, use this command To see what SSL/TLS protocls are in use on a server, use this command
 <code>nmap --script ssl-enum-ciphers -p 443 1.1.1.1</code> <code>nmap --script ssl-enum-ciphers -p 443 1.1.1.1</code>
 +===== Download Certificate ===== 
 +<code>openssl s_client -showcerts -servername www.example.com -connect www.example.com:443</code>
 ===== Inbound Inspection Limitation ===== ===== Inbound Inspection Limitation =====
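Review bot: the new openssl command has no stdin redirect, so it will sit waiting for input after the handshake until the user presses Ctrl-D; suggest appending "</dev/null". A one-line explanation that -showcerts prints every certificate the server presented, in the order sent (leaf first, then intermediates), would tell the reader which PEM block to import, which is the point of a "Download Certificate" heading. On the context line above, "protocls" is a typo, and the nmap script enumerates cipher suites per TLS version, so "protocols and ciphers" describes its output better.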
  
Line 379: Line 389:
 Microsoft list their root and intermediate certificates [[https://docs.microsoft.com/en-gb/microsoft-365/compliance/encryption-office-365-certificate-chains?|here]]. Microsoft list their root and intermediate certificates [[https://docs.microsoft.com/en-gb/microsoft-365/compliance/encryption-office-365-certificate-chains?|here]].
  
 +===== Sophos Decryption Exception =====
 +List of URLs that Sophos excludes from decryption
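Review bot: this section gives neither the Sophos document the list was copied from nor a date, unlike the Chromebook entries earlier on the page, so it cannot be refreshed or checked. The heading and lead sentence call these URLs, but they are domains and hostnames, and whether an entry is meant to cover its subdomains is unstated (the Chromebook section spells that out with *.). A hand-copied list this long should be verified entry by entry against the source before it goes into a category, since transcription drops characters.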